Legal thoughts, since 2005.

Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Lawyers should be concerned about a new Gmail security issue: here’s how to fix it

If you’ve been reading my column over the years, you already know that unencrypted email is inherently unsecure and that it’s no different than sending a postcard written in pencil through the post office. Despite this fact, in the mid-1990s, bar ethics committees, including the New York State Committee on Professional Ethics, gave lawyers the green light to use email for confidential client communications.

Of course, as I’ve explained many times before, as technology changes, so too do expectations regarding security and the ethical duty to maintain confidentiality. As a result, email is slowly falling out of favor as an accepted method of secure attorney/client communication. The most recent evidence of this trend was the issuance of Formal Opinion 477 by the American Bar Association last year, wherein the Ethics Committee concluded that unencrypted email may not always be sufficient for client communication.

More recently, in early July, news reports revealed that emails sent and received by Gmail users can sometimes be read by third party apps and their developers - not just machines. The reason this matters is because it was previously believed that the emails of people who used the free version of Gmail email were only scanned by machines in order to serve up relevant ads.

This newfound revelation is an important one for New York lawyers who use the free version of Gmail (as opposed the paid version - GSuite - which doesn’t serve up ads to users, and thus emails aren’t scanned by Google). This is because the scanning of emails to provide ads was determined to be permissible by the New York State Bar Association in 2008, when the Committee on Professional Ethics concluded that since the contents of emails were being processed by a machine, not a person, for the limited purpose of serving up relevant content, it was ethically permissible to use Gmail for confidential client communications. (New York State Bar Association’s Committee on Professional Ethics Opinion 820-2/08/08).

In other words, if you’re using the free version of Gmail to communicate with clients, and have knowingly or unknowingly granted third party apps access to your Gmail account, you may now be violating your ethical obligation to maintain client confidentiality. And, on the flip side, even if you haven’t granted access to third party apps, if any of your clients use the free version of Gmail, it’s possible that they’ve done so and are now allowing third parties to view confidential email communications.

So if you or your clients use the free version of Gmail, you’ll need to take steps to ensure that your communications are secure. One way to accomplish this goal is to choose a different method of communication altogether. Since unencrypted email is inherently unsecure, regardless of the email provider, why not switch to secure client portals instead? Client portals, which are often built into law practice management software, provide a secure and efficient way for lawyers to communicate and collaborate with clients. With client portals, the cumbersome back and forth process of unsecure, threaded emails is a thing of the past and is instead replaced by the ability to securely communicate in an encrypted, controlled online environment.

Alternatively, switch to the paid version of Gmail, GSuite, or lock your free version down, and ask your clients do the same. If your choice is the latter, you’ll need to head over to Google’s Security Check-up page (online: https://myaccount.google.com/security-checkup/3) and revoke the access that any third party apps may have to your account. Your clients will need to do the same.

Regardless of the path that you take, keep in mind that as a New York attorney, you have an ethical duty to maintain technology competence. And, ensuring that the technologies that you use to communicate with clients are secure is an important part of that obligation. It’s not always easy to find the time to learn about new and emerging technologies, but it’s important that you do so. Make it a priority to learn something new each day, whether it’s from blogs, books, or CLEs.

Like it or not, taking steps to understand technology is now part of practicing law in the 21st century. The good news is that at the end of the day, maintaining technology competence will make you a better, more informed, and more efficient attorney.

Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Smartphones have become central to the lives of most Americans. We count on our phones to keep us connected to the world. Because our phones handle so many pivotal functions for us, we’ve become increasingly reliant on them. They’ve have become so much a part of our day-to-day lives that, if you’re anything like me, you feel a bit lost when you realize you’ve misplaced your phone.

Our phones are important to us because of their utility, in part because they instantaneously provide us with incredibly relevant and up-to-date data and information about the world around us. Of course, much of that usefulness is derived from the massive amounts of personal data collected by our phones and the apps running on them. That data serves as the basis for a more personalized and functional experience.

Unfortunately, the very same data the makes our phones so valuable to us can also be used against us, sometimes by criminals, and other times by law enforcement. Last month, the United States Supreme Court considered the latter situation in Carpenter v. U.S., No. 16-402, 585 U.S. ____ (2018). At issue was whether governmental access to historical geolocation cell phone data in order to ascertain a user’s movements constitutes a search.

Importantly, at the outset, the Court explained that careful vigilance was required when applying Fourth Amendment jurisprudence to the technological advancements that provide law enforcement with increasingly invasive access to personal information: “We have kept…Founding-era understandings in mind when applying the Fourth Amendment to innovations in surveillance tools. As technology has enhanced the Government’s capacity to encroach upon areas normally guarded from inquisitive eyes, this Court has sought to ‘assure preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.’”

The Court then turned to an examination of the specific type of information at issue in the case at hand: cell phone geolocation data. The Court noted that it is nearly impossible for users to prevent the collection and storage of their phone’s geolocation data: “Apart from disconnecting the phone from the network, there is no way to avoid leaving behind a trail of location data. As a result, in no meaningful sense does the user voluntarily “assume the risk” of turning over a comprehensive dossier of his physical movements.”

Next the Court considered whether stored geolocation data was protected by the Fourth Amendment and concluded the it was: “Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection. Whether the Government employs its own surveillance technology as in Jones or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through (cell phone location information).”

The Court explained that because there is an expectation of privacy in a phone’s geolocation data stored on third party servers, a warrant is required in order for the government to access it: “The Government’s acquisition of the cell-site records was a search within the meaning of the Fourth Amendment…Having found that the acquisition of Carpenter’s CSLI was a search, we also conclude that the Government must generally obtain a warrant supported by probable cause before acquiring such records.”

Of note, the Court clarified that although a warrant is generally required to access stored geolocation data, said requirement was inapplicable in the face of exigent circumstances.

Finally, the Court wisely recognized its duty to “ensure that the ‘progress of science’ does not erode Fourth Amendment protections.” Given the rapid rate of technological advancement that we’ve seen over the past decade and the fact the pace of change will only increase exponentially in the years to come, this acknowledgement was reassuring.

Technology provides incredible benefits, but privacy issues abound. Protections from unfettered governmental access to the increasingly personal data collected by our phones are needed now more than ever. The Court’s holding in this case strikes the right balance and provides much-needed guidance in the midst of a turbulent and increasingly invasive technological landscape.

I often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles from June 2018:

Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Pennsylvania court on social media evidence authentication

Social media use is pervasive. People communicate online many times everyday. Importantly, those online interactions create digital footprints that can prove to be invaluable - and sometimes detrimental to - litigation.

Of course, the somewhat transient and unverifiable nature of online engagement can present problems for lawyers seeking to use social media evidence during litigation. Because it’s so easy for people to interact anonymously or to impersonate others online, lawyers sometimes encounter difficulties when attempting to authenticate social media evidence at trial.

The Superior Court of Pennsylvania recently provided some guidance in this regard in Commonwealth v. Mangel, 2018 PA Super 57 (2018). In this case, the court was tasked with determining what proof was required to authenticate “social media evidence, such as Facebook postings and communications.”

In reaching its decision, the Court reviewed Pennsylvania appellate court cases that addressed the level of proof needed to authenticate other types of electronic evidence, such as text messages and emails. The Court acknowledged that although social media information is similar to other electronic evidence, it also poses unique challenges “because of the great ease with which a social media account may be falsified, or a legitimate account may be accessed by an imposter.” For that reason, the authentication process for social media evidence must necessarily address those issues and provide a level of certainty regarding account ownership and authorship issues.

Of course the issue then becomes: What level of certainty is required to sufficiently eradicate any doubts regarding those issues? The prosecution asserted that the trial court applied the incorrect standard in this regard when it considered whether there was a “reasonable degree of certainty, reliability, scientific, technological certainty” that the Commonwealth had satisfied the requirements for authentication of the Facebook records.”

Notably, the Court disagreed with the prosecution, concluding that the trial court applied the correct standard: “(I)t is clear that the trial court…applied the proper standard in determining whether the Commonwealth had presented sufficient direct or circumstantial evidence that Mangel had authored the Facebook messages in question.”

Next, the court clarified how to apply that standard to social media evidence, and provided guidance for lawyers seeking to authenticate social media postings: “Initially, authentication…(of) social media evidence is to be evaluated on a case-by-case basis to determine whether or not there has been an adequate foundational showing of its relevance and authenticity…Additionally, the proponent of social media evidence must present direct or circumstantial evidence that tends to corroborate the identity of the author of the communication in question, such as testimony from the person who sent or received the communication, or contextual clues in the communication tending to reveal the identity of the sender.”

Finally, the Court applied that standard to the case at hand, upholding the trial court’s determination that the prosecution failed to properly authenticate the social media evidence at issue: “(T)he Commonwealth presented no evidence, direct or circumstantial, tending to substantiate that Mangel created the Facebook account in question, authored the chat messages, or posted the photograph of bloody hands. The mere fact that the Facebook account in question bore Mangel’s name, hometown and high school was insufficient to authenticate the online and mobile device chat messages as having been authored by Mangel. Moreover, there were no contextual clues in the chat messages that identified Mangel as the sender of the messages.”

So, whether you practice in Pennsylvania or elsewhere, the guidance provided by the Court in this case is instructive. If your client’s case hinges on a particular piece of evidence obtained online, the more proof you can offer to establish the identity of the person responsible for creating the online posting, the better. A multi-faceted approach to establishing authorship is advisable rather than relying on forensic or contextual evidence alone. Certainly forensic evidence alone will be enough in some cases, but not all - and as I always say, better safe than sorry.

Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Fourth Amendment ramifications of Facebook “searches” by police

I’ve written extensively in the past about the ethical obligations of lawyers who seek to obtain evidence using social media. The specific issues addressed in ]that context are irrelevant for the purposes of this column, but of note is that all of the ethical opinions on the topic of lawyers mining social media for evidence differentiate between publicly available information and that which is only accessible behind a privacy wall. In other words, the rules are different when lawyers or their agents seek to connect with someone online via a social network in order to view posts that can only be viewed by a person’s connections or “friends.”

But what happens when law enforcement officers seek to do the same thing - obtain social media evidence that can only be accessed behind a privacy wall? One of the more interesting issues to consider is whether the conduct constitutes a search, and if so, does “friending” someone in order to view information behind a privacy wall - in the absence of a warrant - violate the Fourth Amendment?

That very issue was addressed in Everett v. Delaware, No. 257, 2017. The question asked of the court was: “When a person voluntarily accepts a “friend” request on Facebook from an undercover police officer, and then exposes incriminating evidence, does the Fourth Amendment protect against this mistaken trust?”

In this case, a police detective created a fake Facebook profile and eventually sent the defendant a “friend” request, which was accepted. The detective then monitored the defendant’s Facebook account for 2 years, viewing it 1 to 3 times per week. The defendant had a number of violent felony convictions and was thus unable to possess firearms. Shortly after he posted a photo to Facebook that included firearms, among other items, the detective applied for a warrant to search the defendant’s home, which was granted. The subsequent search resulted in evidence that was later used to prosecute the defendant for numerous felonies. The defendant was convicted after trial and this appeal challenging the constitutionality of the original search of his home was filed.

In reaching its decision, the Court applied a 2-step inquiry. Its first task was to ascertain whether the Facebook monitoring violated the Fourth Amendment or Article I, Section 6 of the Delaware Constitution. If so, then its remaining task was to, after removing the tainted evidence from the warrant affidavit, determine whether the information remaining provided a neutral magistrate with probable cause to issue a search warrant.

The Court did not reach the second step of the inquiry since it concluded that the defendant did not have a reasonable expectation of privacy when he shared information with people that he chose to make his Facebook friends. The Court explained that the defendant “assumed the risk” that one of his “friends” might be an undercover officer:

“(T)he Fourth Amendment does not guard against the risk that the person from whom one accepts a ‘friend request’ and to whom one voluntary disclosed such information might turn out to be an undercover officer or a ‘false friend.’ One cannot reasonably believe that such ‘false friends’ will not disclose incriminating statements or information to law enforcement—and acts under the risk that one such person might actually be an undercover government agent. And thus, one does not have a reasonable expectation of privacy in incriminating information shared with them because that is not an expectation that the United States Supreme Court has said that society is prepared to recognize as reasonable.”

In other words, caveat emptor: social media-users beware. The lesson to be learned is to only share information with your online “friends” that you would readily share with a law enforcement officer. After all, as I always say, better safe than sorry!

Search

disclaimer

This site is intended purely as a resource guide for educational and informational purposes and is not intended to provide specific legal advice. This site should not be used as a substitute for competent legal advice from a professional attorney in your state. The use and receipt of the information offered on this site is not intended to create, nor does it create, an attorney-client relationship.

Please feel free to contact me via e-mail or otherwise. However, please be advised that an attorney-client relationship is not created through the act of sending electronic mail to me.

The comments on this blog are solely the opinions of the individuals leaving them. In no way does Legal Antics or Nicole L. Black endorse, condone, agree with, sponsor, etc. these comments.

Further, any information provided on this blog or in the comments should be taken at your own risk.